Oracle has just fixed 25 vulnerabilities in its aging Java platform, including one that's already being exploited in attacks.

Out of the 25 vulnerabilities fixed in Java, 23 can be exploited remotely without authentication. Sixteen flaws affect only the client deployment and five affect both client and server deployments.

The most serious vulnerability fixed in this Java update is known as CVE-2015-2590 and had zero-day status until this update, meaning attackers were already exploiting it while no fix was available. An exploit for it was uncovered by researchers from Trend Micro in attacks that targeted the armed forces of an unnamed NATO country and a US defence organization.

The attacks were launched by Pawn Storm, a group which is tied to Russia's intelligence services. The group has been active since 2007 and typically targets military, government and media organizations.

In addition to Java, Oracle also updated a wide range of other products, fixing a total of 193 vulnerabilities, 44 stemming from third-party components. Clearly it was a day for a confession or two.

Oracle released Java 8 Update 51, Java 7 Update 85 and Java 6 Update 101. Only the Java 8 update is publicly available, because general support for Java 7 and Java 6 ended some time ago, so you will have to pay to have your system sorted out.

Rich Trouton, a Mac systems administrator who runs the Der Flounder blog, has discovered that a Java installer is installing adware, in the form of the Ask Toolbar.

Basically, when you install Java you get a prompt to install the god-awful Ask Toolbar, with the box checked by default. It is nothing new in IT land, but it is an indication of how short-sighted a company is if it is prepared to annoy its customers for what amounts to chump change.

Rahul Kashyap, chief security architect at Bromium, told Fudzilla that it’s not uncommon for a few large brands such as Oracle and Adobe to ‘bundle’ packages along with their software. In fact Oracle has been doing this for some time now.

“The Ask.com add-on is known to get installed as a BHO (Browser Helper Object). Due to its dubious nature of installation and capabilities this is regarded as a ‘PUP – Potentially Unwanted Program’, a term used by the cyber security industry to navigate legal notices by the creators of such software.

Unfortunately some large brands are using their credibility to package such software. People need to be vigilant to avoid installing such undesired bundled software.”

Fraser Kyne, principal systems engineer at Bromium, said that the announcement is good news for those who spend all their time patching Java: they will finally have an excuse not to do it. All they have to tell their boss is that upgrading to the new version of Java places their organisation at risk of malware.

“The sad truth is, for many organisations the concept of moving to a recent version of Java is light years away anyway. Adware concerns just add more weight on top of other security concerns, which are then balanced against the very real cost of modifying the application estate,” he said.

Georg Lukas (no, not him, another one) has penned a detailed post claiming that Google is using what he calls ‘horribly broken’ RC4 and MD5 as the default cipher suite on all SSL connections of Android devices.

He said that both are extremely insecure, as both are broken and can be easily compromised. What is odd is that Android used the pretty strong DHE-RSA-AES256-SHA cipher suite by default until Android version 2.2.1. With the release of Android 2.3.4, RC4 and MD5 were elevated to the default cipher suite, and they are still being used on the latest Android versions.

But it seems that neither NSA spooks nor a Google intention to weaken Android was the reason for the dodgy promotion of RC4 and MD5. Lukas found that it was all Oracle’s fault: Google engineers were simply implementing what Java’s Reference Implementation (RI 6) was recommending.

Lukas further said the cipher order on the vast majority of Android devices was defined by Sun in 2002 and taken over into the Android project in 2010 in an attempt to improve compatibility. The question is how long it will take Google to fix the problem, or whether its chums in the NSA will say that it can’t.
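Whatever a platform's inherited default order says, an application can refuse to offer the weak suites itself. The following is an added example, not code from the article, from Google or from Oracle: it audits the cipher-suite order a JSSE runtime enables by default and installs a hardened order on a client socket so that RC4 and MD5 suites are never offered. The class name, the WEAK pattern and the sample suite list are this example's own; it assumes a Java 8 or later JSSE (SSLParameters.setUseCipherSuitesOrder is Java 8+).

```java
import java.io.IOException;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Added example (not from the article, Google or Oracle): audit the cipher-suite
 * order a JSSE runtime enables by default and pin a hardened order on a client
 * socket so RC4 and MD5 suites are never offered, whatever the platform default is.
 */
public class CipherSuitePolicy {

    // Suite names containing any of these fragments are refused. RC4 and MD5 are the
    // ones the article is about; the others go for related reasons (no encryption,
    // no authentication, export-grade keys, single or triple DES).
    private static final Pattern WEAK = Pattern.compile(
            "RC4|MD5|_NULL_|_anon_|EXPORT|_DES_|3DES", Pattern.CASE_INSENSITIVE);

    /** True if this suite must never be negotiated. */
    public static boolean isWeak(String suite) {
        return WEAK.matcher(suite).find();
    }

    /** Keeps the caller's preference order, minus the weak suites. */
    public static List<String> harden(String[] suites) {
        List<String> kept = new ArrayList<>();
        for (String s : suites) {
            if (!isWeak(s)) {
                kept.add(s);
            }
        }
        return kept;
    }

    /** Index of the first weak suite in the order, or -1 if there is none. */
    public static int firstWeakIndex(String[] suites) {
        for (int i = 0; i < suites.length; i++) {
            if (isWeak(suites[i])) {
                return i;
            }
        }
        return -1;
    }

    /** Installs the hardened order on an unconnected socket, before any handshake. */
    public static void applyTo(SSLSocket socket) {
        SSLParameters params = socket.getSSLParameters();
        List<String> kept = harden(socket.getEnabledCipherSuites());
        params.setCipherSuites(kept.toArray(new String[0]));
        // Honour our order rather than the peer's preference (Java 8+).
        params.setUseCipherSuitesOrder(true);
        socket.setSSLParameters(params);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException, IOException {
        // Constructed sample in JSSE naming, laid out like the legacy order the article
        // describes: an RC4/MD5 suite first, the DHE-RSA-AES256-SHA suite further down.
        String[] legacyOrder = {
            "SSL_RSA_WITH_RC4_128_MD5",
            "SSL_RSA_WITH_RC4_128_SHA",
            "TLS_RSA_WITH_AES_128_CBC_SHA",
            "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
            "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
        };
        System.out.println("sample order: first weak suite at index " + firstWeakIndex(legacyOrder));
        System.out.println("sample order hardened: " + harden(legacyOrder));

        // Now the live runtime: what does this JVM enable by default?
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        String[] defaults = factory.getDefaultCipherSuites();
        System.out.println("runtime default suites: " + defaults.length
                + ", first weak at index " + firstWeakIndex(defaults));
        // Unconnected socket: the hardened order is set before any handshake can run.
        try (SSLSocket socket = (SSLSocket) factory.createSocket()) {
            applyTo(socket);
            System.out.println("enabled after hardening: "
                    + Arrays.toString(socket.getEnabledCipherSuites()));
        }
    }
}
```

The filter works on the enabled list rather than the supported list, so it only ever removes suites; it never re-enables something the runtime's security policy had already switched off. On a runtime that orders suites the way the article describes for older Android, the audit reports the RC4/MD5 suite at index 0 and the hardened list starts with the first AES suite.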

Microsoft research shows that there has been a spike in malware targeting Java vulnerabilities since the third quarter of 2011. Much of the activity has focused on vulnerabilities which are already patched, which suggests that attackers are hitting vulnerabilities present in multiple versions of Java rather than in just one specific version. Jeong Wook Oh of Microsoft said that in Q3 and Q4 of 2012 two new vulnerabilities, CVE-2012-4681 and CVE-2012-5076, were found.

“But we didn’t observe any prevalence of Java malware abusing these newer vulnerabilities above malware abusing the older Java vulnerabilities, CVE-2012-0507 and CVE-2012-1723. The reason behind this might be that only Java 7 installations were vulnerable to CVE-2012-4681 and CVE-2012-5076, whereas CVE-2012-0507 and CVE-2012-1723 also target Java 6,” he said.

As there are still many users on Java 6, the malware writers might have tried to target Java 6 installations by including older vulnerabilities in the exploit package. During 2012 there were two kinds of Java vulnerabilities: one kind applied to multiple versions of Java, including Java 6 and 7, and the other applied only to Java 7.

“So when new vulnerabilities that are only applicable to Java 7 are discovered, the attacker’s strategy was usually to combine it with older vulnerabilities that cover more versions of Java. In that way, they could achieve more coverage than just using a single exploit in one package,” Oh said.

Of the four Java vulnerabilities from 2012, only one was a zero-day. The other three flaws already had patches available when the malware targeting them appeared. The warning here is to install patches as soon as they come out.
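Since exploit packs are built to cover several Java release lines at once, the useful inventory question is not "is Java installed" but "is every installed line at its current update". The following is an added example, not code from the article or from Microsoft: it parses a java.version string and classifies it against a minimum update level per release line. The minimums are the July 2015 releases named earlier on this page (8u51, 7u85, 6u101); the class name, the Status enum and the sample inventory are this example's own, and the table has to be moved forward with each critical patch update for the result to mean anything.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (not from the article or Microsoft): classify a java.version
 * string against the minimum update level of its release line.
 */
public class JavaPatchLevel {

    public enum Status { CURRENT, OUTDATED, UNKNOWN_LINE, UNPARSEABLE }

    // Minimum update per major line, taken from the release versions the article quotes
    // (Java 8 Update 51, Java 7 Update 85, Java 6 Update 101). Update before use.
    private static final Map<Integer, Integer> MINIMUM_UPDATE = new HashMap<>();
    static {
        MINIMUM_UPDATE.put(6, 101);
        MINIMUM_UPDATE.put(7, 85);
        MINIMUM_UPDATE.put(8, 51);
    }

    // Legacy layout used up to Java 8: "1.7.0_85", possibly followed by a "-b15" build tag.
    private static final Pattern LEGACY = Pattern.compile("^1\\.(\\d+)\\.\\d+_(\\d+)");
    // Layout used from Java 9 onwards: "9", "11.0.2"; the third field is treated as the update.
    private static final Pattern MODERN = Pattern.compile("^(\\d+)(?:\\.\\d+)?(?:\\.(\\d+))?");

    /** Returns {major, update}, or null if the string matches neither layout. */
    public static int[] parse(String javaVersion) {
        Matcher m = LEGACY.matcher(javaVersion);
        if (m.find()) {
            return new int[] { Integer.parseInt(m.group(1)), Integer.parseInt(m.group(2)) };
        }
        m = MODERN.matcher(javaVersion);
        if (m.find()) {
            int update = m.group(2) == null ? 0 : Integer.parseInt(m.group(2));
            return new int[] { Integer.parseInt(m.group(1)), update };
        }
        return null;
    }

    /** CURRENT if the line is known and at or above its minimum update, OUTDATED if below. */
    public static Status assess(String javaVersion) {
        int[] v = parse(javaVersion);
        if (v == null) {
            return Status.UNPARSEABLE;
        }
        Integer minimum = MINIMUM_UPDATE.get(v[0]);
        if (minimum == null) {
            return Status.UNKNOWN_LINE;   // a line the table does not cover: audit it by hand
        }
        return v[1] >= minimum ? Status.CURRENT : Status.OUTDATED;
    }

    public static void main(String[] args) {
        // Constructed sample inventory: the three patched releases plus some older levels
        // and one post-Java-8 string, to show every branch of assess().
        String[] inventory = {
            "1.8.0_51", "1.7.0_85", "1.6.0_101",
            "1.7.0_07-b10", "1.6.0_33", "1.8.0_40",
            "11.0.2", "garbage"
        };
        for (String v : inventory) {
            System.out.printf("%-14s %s%n", v, assess(v));
        }
        String running = System.getProperty("java.version");
        System.out.printf("this JVM (%s): %s%n", running, assess(running));
    }
}
```

Run across a fleet, anything reported OUTDATED on a line that is still installed is exactly the population the combined exploit packages described above are built to find; UNKNOWN_LINE is a prompt to extend the table, not a pass.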

Spanish insecurity experts from Informatica64 used a JavaScript Trojan horse to steal information from spammers and scammers, which is a bit like giving AIDS back to monkeys. In a presentation at the Black Hat security conference, security consultant Chema Alonso showed off a somewhat dodgy method to snoop on some very questionable people online.

The pair replaced cached JavaScript with an attacker's copy and used this to inject the JavaScript file into a victim's browser. Alonso set up an anonymous proxy server and then published its Internet address on a proxy forum. Within a day, more than 4,000 computers had connected to the proxy server and had the poisoned JavaScript file in their browser caches.

According to Dark Reading, Alonso found a variety of low-level criminals using the proxy server. There were fraudsters posing as British immigration officials offering work permits, a bloke pretending to be a pretty woman on a number of dating sites to con victims into sending money for a plane ticket, and another fraud involving flogging non-existent Yorkshire Terriers. By replacing one of the JavaScript files with a malicious version via the proxy server, an attacker can tailor attacks for a specific site, he told the conference.

He thought that it was likely that companies and governments are already using this technique to eavesdrop on criminal activity. He said that he could collect that amount of data in only one day doing nothing with two small JavaScript files. He thought it was too easy for governments and spooks to do the same thing.

The only way for people to be sure that they are safe is to use servers that they trust. In addition, privacy-sensitive people should regularly clear the browser cache.

Oracle today announced the availability of Java Platform, Standard Edition 7, the first release of the Java platform since it bought Sun. In a statement Oracle said that the Java SE 7 release was the result of industry-wide development involving open review, weekly builds and extensive collaboration between Oracle engineers and members of the worldwide Java ecosystem via the OpenJDK Community and the Java Community Process (JCP).

Under the bonnet are language changes to help increase developer productivity and simplify common programming tasks by reducing the amount of code needed, clarifying syntax and making code easier to read. There is also improved support for dynamic languages including Ruby, Python and JavaScript, which Oracle claims brings substantial performance increases to the Java Virtual Machine. There is a multicore-ready API that enables developers to more easily decompose problems into tasks that can then be executed in parallel across arbitrary numbers of processor cores.

There is also a new I/O interface for working with file systems that can access a wider array of file attributes and offers more information when errors occur, along with new networking and security features. Everything is backwards compatible, so Java software developers don't have to upgrade their software.
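The three Java 7 additions just described (the concise-code language changes, the fork/join multicore API and the NIO.2 file-system interface with its typed errors) fit naturally into one small security tool. The following is an added example, not Oracle's code: a parallel scan of a directory tree for world-writable files, the usual precursor to a local privilege escalation. The class name is this example's own; it assumes a POSIX file system (on Windows the PosixFileAttributes view is not available).

```java
import java.io.IOException;
import java.nio.file.AccessDeniedException;
import java.nio.file.DirectoryIteratorException;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.NoSuchFileException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFileAttributes;
import java.nio.file.attribute.PosixFilePermission;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.concurrent.ForkJoinPool;
import java.util.concurrent.RecursiveTask;

/**
 * Added example (not Oracle's code): a fork/join scan for world-writable files
 * built from Java 7's try-with-resources, NIO.2 attributes and typed exceptions.
 * Assumes a POSIX file system.
 */
public class WorldWritableScan extends RecursiveTask<List<Path>> {

    private final Path dir;

    public WorldWritableScan(Path dir) {
        this.dir = dir;
    }

    /** A file any local user can modify. */
    public static boolean isWorldWritable(Set<PosixFilePermission> perms) {
        return perms.contains(PosixFilePermission.OTHERS_WRITE);
    }

    @Override
    protected List<Path> compute() {
        List<Path> findings = new ArrayList<>();          // diamond operator: Java 7
        List<WorldWritableScan> children = new ArrayList<>();
        // try-with-resources closes the directory handle whether we return or throw
        try (DirectoryStream<Path> entries = Files.newDirectoryStream(dir)) {
            for (Path entry : entries) {
                PosixFileAttributes attrs;
                try {
                    // NIO.2 reads the POSIX permission bits directly; NOFOLLOW_LINKS so a
                    // symlink is judged by its own bits, not by whatever it points at
                    attrs = Files.readAttributes(entry, PosixFileAttributes.class,
                                                 LinkOption.NOFOLLOW_LINKS);
                } catch (AccessDeniedException e) {
                    System.err.println("skipping (permission denied): " + e.getFile());
                    continue;
                } catch (NoSuchFileException e) {
                    System.err.println("vanished during scan: " + e.getFile());
                    continue;
                }
                if (attrs.isSymbolicLink()) {
                    continue;
                }
                if (attrs.isDirectory()) {
                    WorldWritableScan child = new WorldWritableScan(entry);
                    child.fork();                          // subtree goes to another core
                    children.add(child);
                } else if (isWorldWritable(attrs.permissions())) {
                    findings.add(entry);
                }
            }
        } catch (AccessDeniedException e) {
            // Typed exceptions: the caller learns why, not just that an IOException happened
            System.err.println("cannot list (permission denied): " + e.getFile());
        } catch (DirectoryIteratorException e) {
            System.err.println("iteration failed under " + dir + ": " + e.getCause());
        } catch (IOException e) {
            System.err.println("cannot list " + dir + ": " + e);
        }
        for (WorldWritableScan child : children) {
            findings.addAll(child.join());                 // gather the forked subtrees
        }
        return findings;
    }

    /** Runs the scan on a pool sized to the available processor cores. */
    public static List<Path> scan(Path root) {
        ForkJoinPool pool = new ForkJoinPool();
        try {
            return pool.invoke(new WorldWritableScan(root));
        } finally {
            pool.shutdown();
        }
    }

    public static void main(String[] args) {
        Path root = Paths.get(args.length > 0 ? args[0] : "/tmp");
        for (Path p : scan(root)) {
            System.out.println("world-writable: " + p);
        }
    }
}
```

Each directory becomes its own task, so a deep tree is walked by as many cores as the pool has, and because the permission bits come from the attribute view rather than from an external ls, the scan reports exactly which entry it could not read instead of failing the whole walk.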

Groklaw has found proof that when Google first introduced Android, Sun, Java’s creator, was in favor of it.

When Android first came out, Sun CEO Jonathan Schwartz, then Java’s owner, greeted the news with “heartfelt congratulations.” Oracle has apparently taken the unprecedented step of deleting the blog post where Schwartz said this, but Groklaw found the page and has republished it.

In the blog Schwartz congratulates Google “on the announcement of their new Java/Linux phone platform, Android.” He says that “Sun is the first platform software company to commit to a complete developer environment around the platform, as we throw Sun’s NetBeans developers platform for mobile devices behind the effort. We’ve obviously done a ton of work to support developers on all Java based platforms, and we’re pleased to add Google’s Android to the list.”

So Java’s owner at the time not only welcomed Android’s use of Java, they were actively supporting it with development tools. The digging up of evidence basically ruins Oracle's case against Android.

Kaspersky Lab has announced that vulnerabilities in Adobe’s apps have kicked Microsoft’s behind, and the latter company no longer boasts the title of the mother of all perforated ships. The company published a report on Q1 2011 and a vulnerability ladder, and Adobe’s “work” seems to have finally paid off.

Unlike in 2010, Microsoft only had one Office-related vulnerability in the top ten, but I guess there’s always a new OS that will set things right. On the other hand, Adobe’s Acrobat Reader buffer overflow vulnerability, which proudly sits on top, was found on 40.78% of computers, with Flash Player vulnerabilities second and third. That’s not all though, as Reader, Flash and Shockwave make up half of the ladder. Sun Java JDK/JRE/SDK vulnerabilities came in fourth and fifth, with Apple’s QuickTime and Winamp ones coming in sixth and seventh.

Furthermore, it was reported that 89% of malware hosting resources come from 10 countries. The US and Russian Federation sitting at the top of the ladder would make you think that there’s a cold malware war going on, but the Dutch and Chinese seem to be doing fine as well.

The top three countries where surfing runs the highest risk of infection are the Russian Federation (49.63%), Oman (49.57%) and Iraq (45.65%). The lowest number of attacks was reported in Japan, Germany, Serbia, the Czech Republic and Luxembourg.

Apparently Oracle has just realised that Java is going to be damaged by Apache walking away from the standards body which sets the software's future. Oracle has too much control over Java and is seriously interfering with the transparent governance of the ecosystem, the ASF moaned.

What miffed Apache was the field of use restrictions Oracle places on the Java Technology Compatibility Kit (TCK), which the ASF uses to test compliance of its own Apache Harmony open source Java runtime against the Java standard. The restrictions block the open source Harmony's use on mobile platforms.

However, now it seems that Oracle wants to be chums again. In a statement it said that Oracle had a responsibility to move Java forward and to maintain the uniformity of the Java standard for the millions of Java developers, and that the majority of Executive Committee members agree.

“We encourage Apache to reconsider its position and remain a part of the process to move Java forward. ASF and many open source projects within it are an important part of the overall Java ecosystem,” the statement said. Apache sponsors some 100 open source projects tied to Java in some manner, among them the Tomcat and Geronimo application servers.

ASF president Jim Jagielski said that he wants more from Oracle. The Java Community Process is “dead” and all that remains is a zombie, walking the streets of the Java ecosystem, looking for brains.

James Gosling, known as the father of Java, said that Oracle’s patent infringement lawsuit versus Google about the technology is all about ego, money and power.

He said that while the two giants claim it is all about developer freedom or Java fragmentation, there are no guiltless parties with white hats in this little drama. “This skirmish isn't much about patents or principles or programming languages. The suit is far more about ego, money and power,” he said.

Writing in his blog, Gosling reflects many people's belief that Oracle’s move is a money grab, not a stake in the ground nor a true move to protect the sanctity of Java. Gosling added that it is a sad comment on the morality of large modern software companies that Microsoft has the high ground. He thinks the software industry leaders Apple, Google and Oracle are all trying to be the Borg in a way that Microsoft never managed.

Gosling added that fragmentation of Java was a valid concern for Sun Microsystems when Google initially approached the company about Android. But at the heart of the matter was cash between Sun and Google. Sun wanted some compensation for the large amount it would be spending on engineering, and Google had a financial model that benefited itself, basically making cash from advertising. The idea was to disrupt Apple and Jobs' Mob's invasion into advertising. If mobile devices take over as the computing platform for consumers, then Google's advertising channel, and the heart of its revenue, gets gutted.

Sun’s fragmentation concerns were warranted, Gosling said, and Android ended up with enough fragmentation to significantly restrict the freedom of software developers. He said that the freedom Sun was most concerned about was the freedom of software developers to run their applications on whatever OS or hardware they wanted. “In opposition to that, the platform providers [ie Google] wanted the freedom to make their platforms as sticky as possible.”